IT GRC: Combining disciplines for better enterprise security

IT governance, risk management and compliance (GRC) is a growing area of information security that isn't clearly defined. In this tip, Forrester Research's Khalid Kark defines the components of IT GRC and offers advice on how CISOs and organizations can adopt unified governance, risk management and compliance strategies to build a successful IT GRC program.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

in silos within organizations.

Today, many organizations no longer see these activities as individual, one-time projects handled in separate parts of an organization. Many commonalities and interrelationships exist between these three disciplines.

Adopting a unified IT governance, risk management and compliance (IT GRC) approach, and managing the associated activities coherently will create efficiencies, provide a holistic view of the IT environment and ensure accountability.

Defining the components of IT GRC Business imperatives, increased regulatory pressure and customer demands are forcing many CIOs and CISOs to adopt a structured, enterprise-wide approach to IT GRC. Today, enterprises are acknowledging that a mishmash of technologies and processes working in silos inevitably leads to inefficiency, increased costs and present higher risks to the organization.

There is currently a lot of confusion on what exactly IT GRC is and what subcomponents to consider when establishing a program. Although the specifics of developing an IT GRC program will vary based on the individual circumstances of every organization, having common definitions and broad objectives for each area will establish a high-level approach for the program.

IT governance establishes decision structures and tracking mechanisms. At its most basic definition, IT governance primarily determines how decisions are made, who makes the decisions, who is held accountable and how the results of decisions are measured and monitored. Although many organizations have some form of IT governance in place, the governance processes are ad hoc, siloed and informal.

Organizations need to first ensure that they have the appropriate governance structures in place; structures such as technology steering committees, architecture review boards and project review boards.

The second step is to ensure that the appropriate processes exist to guarantee consistency and transparency. For example, processes for proposing new projects, approving new IT investments and prioritizing IT projects.

Third, organizations need to ensure that there is appropriate communication and accountability to measure the outcomes of IT decisions, whether these decisions are technical, monitory, human resource, etc.,. Project status reports, ROI analysis and balanced scorecards would be examples of such communication and monitoring.

IT risk management helps mitigate adverse effects and identifies opportunities. IT risk management activities go far beyond traditional IT security responsibilities. As IT environments have become more complex and business reliance on technology has increased, CIO and CISOs are faced with a daunting challenge. Not only are they asked to deal with ever-increasing and multifaceted threats, but they are also challenged to provide increased capabilities within their businesses. That means successfully adapting to changing business needs and enhancing technology capabilities while guarding against adversity. An organization's technology architecture must support this effort though greater flexibility, automation and efficiency.

IT compliance establishes and monitors IT controls. IT compliance should ensure that an organization is not only adhering to laws and regulations, but is also taking into account corporate responsibilities and industry standards. An organization should also be mindful of corporate intellectual property protection responsibilities and develop a control framework based on industry standards such as COBIT.

Compliance activities include conducting regulatory research, mapping control requirements to regulations, designing IT controls, advising IT and third parties on control requirements and assessing and reporting compliance with regulatory and other requirements.

Many organizations are moving toward a common control framework that can meet multiple regulatory, legal and audit requirements simultaneously. Many software vendors now offer products with built-in mappings for multiple regulations, frameworks and management.

Take a unified approach to align IT GRC initiatives. IT GRC initiatives have traditionally been scattered across organizations without any coordination or synchronization. It's not uncommon for different business areas to develop their own solutions for the same requirement or for IT to deploy multiple technologies to address a common issue. These separate initiatives create inefficiency and make it very hard to assess and manage risks holistically.

"IT governance primarily determines how decisions are made, who makes the decisions, who is held accountable and how the results of decisions are measured and monitored.,

As a result, there is a growing demand for products that help IT organizations effectively break down these silos and create a centralized approach to managing risk and compliance while simultaneously ensuring good governance.

Ensuring IT GRC success To make an IT GRC program effective, CIOs and CISOs need to:

Understand dependencies and provide a common approach. Governance, risk and compliance functions depend on each other to be successful. The governance program measures against the control frameworks and IT compliance requirements to implement the IT strategy. The compliance program utilizes IT and business risks to rationalize the controls it needs to execute and maintain. Finally, the risk program determines risks based on IT governance activities and utilizes control activities and measurements from the compliance program to determine the existing risk profile for an organization. All three programs running in parallel, but in coordination with each other, are required for an effective GRC program.

Unify controls for IT risk and compliance. The processes for identifying and reporting IT risk and IT compliance may be different, but a common control framework can be to establish and measure security controls. Establishing a common control framework that fulfills the internal and external compliance requirements, while managing IT risk to corporate resources reduces duplication of effort, ensures consistency and breaks down the silos.

Enable IT governance by establishing accountability. Establishing accountability is an essential part of an IT GRC strategy that many organizations struggle with. The first step for establishing accountability is to ensure that roles, responsibilities, governance structures and processes are clearly articulated, communicated, and understood by a board of directors, executive management, business management, IT management, employees and shareholders. The second step is to ensure appropriate measurement and reporting mechanisms are in place in order to monitor and measure critical areas and adjust the course based on those measurements.

Align technology and processes for efficiency and consistency. Although technology plays an important part in automating, aggregation, analysis and reporting of IT controls, it's not the only ingredient CIOs and CISOs need to establish a core set of processes and define touch points between IT governance, risk and compliance activities. Once those processes are established, only then can technology help automate and augment those processes.

Coordinating and pushing a coherent IT GRC approach across different parts of the organization requires significant effort and persistence. The benefits may not be evident right away, but having a structured program ensures long-term benefits such as enhancing IT governance capabilities, helping mitigate IT threats more effectively and simplifying regulatory compliance.

About the authorKhalid Kark is a principal analyst at Forrester Research where he contributes to its offerings for security and risk management professionals. He is a leading expert in security management, compliance, best practices and services. For more information on Khalid or to review additional research, please visit: www.forrester.com/rb/analyst/khalid_kark.

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

I agree that establishing a coherent IT GRC approach across different parts of the organization requires significant effort and persistence, especially in the area of communication, as the process areas have traditionally been siloed
I don’t agree that core processes and touch points between IT governance, risk and compliance activities need to be established prior to using technology to help automate and augment those processes. Technologies can be leveraged prior to the establishment of such processes and touch points to help identify and establish processes and touch points between and across the process areas and recognize commonalities. Employing technologies earlier in the IT GRC coordination effort also helps in reducing the amount of process rework required as recently established processes are reworked to better align with tools and technologies.